
Rabbit R1 Security Flaw Exposes Sensitive User Data


The Rabbit R1, launched in late April 2024, has been met with mixed reviews, with many considering it less useful than Humane’s AI Pin. MaagX’s Joe Maring gave it a one-star rating, calling it a “buggy, flawed, and unsuccessful mess.” Now, adding to the device’s woes, Rabbit is facing reports of a significant data breach potentially exposing sensitive user information.

Rabbitude, a reverse engineering project focused on the R1, claims to have accessed the Rabbit codebase and discovered several hardcoded API keys. These keys reportedly grant access to a range of functionality, including:

  • Accessing all past R1 responses, potentially containing personal information
  • Bricking all R1 devices
  • Manipulating the responses of all R1 devices
  • Replacing the voice on all R1 devices

Furthermore, API keys for the following services were also allegedly exposed:

  • ElevenLabs (text-to-speech)
  • Azure (an older speech-to-text system)
  • Yelp (review lookups)
  • Google Maps (location lookups)

The Settings page on the Rabbit R1.

Rabbitude highlighted that the exposed ElevenLabs API keys granted full privileges, including access to past text-to-speech messages, voice modification, custom text replacements, voice deletion, and the ability to disable the rabbitOS backend, effectively bricking all R1 devices. While Rabbit has reportedly revoked the ElevenLabs API key, this action also temporarily disrupted Rabbit devices.

These permissions are concerning for any device, but particularly alarming for an always-on, voice-activated AI gadget equipped with cameras. Rabbitude claims to have contacted the Rabbit team, who are aware of the leaked API keys. However, according to Rabbitude, the company has “chosen to ignore it,” and the API keys remain valid. This claim is supported by a tweet from Rabbitude stating that it had been able to read all R1 responses for a month, and that Rabbit had allegedly taken no action despite being aware of the issue.
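The root cause described above is credentials committed into source. As an added illustration (not code from Rabbit or Rabbitude), the following scanner flags assignments whose name looks like a credential and whose value is a long, high-entropy string literal, while ignoring values read from the environment. The sample source text and every key value in it are constructed placeholders, and the function and constant names are assumptions for this example.

```python
import math
import re
from collections import Counter

# Constructed sample "source file" for this example. The key values are
# made-up placeholders, not anything taken from a real codebase.
SAMPLE_SOURCE = """\
ELEVENLABS_API_KEY = "sk_a8f3e1b9c2d74e6f0a1b2c3d4e5f60718293a4b5"
yelp_token = 'Qw3rTy9uIoP0aSdFgHjKlZxCvBnM1234567890abcdEF'
maps_key = os.environ["GOOGLE_MAPS_KEY"]
test_token = "xxxxxxxxxxxxxxxxxxxxxxxx"
debug_flag = "false"
"""

# Assignment of a quoted literal (16+ chars) to a credential-looking name.
# Only a string literal on the right-hand side matches, so a value pulled
# from os.environ is not reported.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_.]*(?:api[_-]?key|key|secret|token|password)[a-z0-9_.]*)"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score far above repeated text."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.5):
    """Return (line_no, name, value) for literals that look like live keys.

    Low-entropy literals (e.g. obvious dummy values) are dropped so the
    check can run in CI without tripping on test fixtures.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= min_entropy:
            hits.append((line_no, m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for line_no, name, _ in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: possible hardcoded credential in {name}")
```

Wiring a check like this into a pre-commit hook catches the literal before it reaches the repository; the keys that do need to exist should be loaded from the environment or a secrets manager and scoped to the minimum privilege the backend actually uses.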


Someone holding the Rabbit R1 outside.

Engadget also contacted Rabbit and received confirmation of their awareness of the “alleged” data breach. Rabbit stated their security team was investigating and currently had no knowledge of any customer data leak or system compromise. They promised an update if any relevant information emerged.

This security lapse appears to be a serious concern. While the Rabbit R1 offers unique features, its flaws, particularly the security vulnerabilities, are substantial enough to warrant discontinuing its use, at least for now. Ultimately, any functionality provided by the $199 Rabbit R1 (plus a required data plan) can be readily replicated by a smartphone.
